TrustStore: Generate certificates for tests (#3493)

go/lib/infra/modules/trust/v2/testdata/gen_crypto_tar.sh

@@ -2,24 +2,43 @@
 
 # usage: gen_crypto_tar.sh <scion-pki> <output-file>
 #
+# This script is run by bazel to generate the testsdata for the trust store
+# tests. Crypto material needs to generate dynamically and cannot be commited
+# to the tree because it expires. To use the regular go toolchain, create the
+# crypto.tar by running the follwing command from the porject root:
+#
+# ```./go/lib/infra/modules/trust/v2/testdata/gen_crypto_tar.sh```
+#
 # Example: (generate crypto tar from root dir)
 # CRYPTO_PATH="./go/lib/infra/modules/trust/v2/testdata"
 # $CRYPTO_PATH/gen_crypto_tar.sh ./bin/scion-pki $CRYPTO_PATH/crypto.tar
 set -e
 
+PKIBIN=${1:-./bin/scion-pki}
+OUTDIR=${2:-./go/lib/infra/modules/trust/v2/testdata/crypto.tar}
+
 TMP=`mktemp -d`
 
-$1 v2 tmpl topo -d $TMP ./topology/Default.topo > /dev/null
-$1 v2 keys private -d $TMP "*-*" > /dev/null
+# Generate config files for the default topology.
+$PKIBIN v2 tmpl topo -d $TMP ./topology/Default.topo > /dev/null
+# Generate the private keys for all ASes under $TMP/ISD*/AS*/keys.
+$PKIBIN v2 keys private -d $TMP "*-*" > /dev/null
 
-$1 v2 trcs gen -d $TMP "*" > /dev/null
+# Generate the base TRCs for all ISDs under $TMP/ISD*/trcs/ISD*-V1.trc.
+$PKIBIN v2 trcs gen -d $TMP "*" > /dev/null
+# Generate three additional updates for ISD 1 under $TMP/ISD1/trcs/ISD1-V{2..4}.trc.
 for i in {2..4}
 do
     sed -e "s/^version = 1/version = $i/g" \
         -e 's/^votes = \[\]/votes = \["ff00:0:110", "ff00:0:120"\]/g' \
         -e 's/^grace_period = "0s"/grace_period = "1h"/g' \
         $TMP/ISD1/trc-v1.toml > $TMP/ISD1/trc-v$i.toml
-    $1 v2 trcs gen -d $TMP --version $i "1" > /dev/null
+    $PKIBIN v2 trcs gen -d $TMP --version $i "1" > /dev/null
 done
 
-tar -C $TMP -cf $2 .
+# Generate the issuer certificates for all issuing ASes under $TMP/ISD*/AS*/certs/*.issuer.
+$PKIBIN v2 certs issuer -d $TMP "*-*" > /dev/null
+# Generate the certificate chains for all ASes under $TMP/ISD*/AS*/certs/*.crt.
+$PKIBIN v2 certs chain -d $TMP "*-*" > /dev/null
+
+tar -C $TMP -cf $OUTDIR .

go/tools/scion-pki/internal/v2/certs/BUILD.bazel

@@ -25,6 +25,7 @@ go_library(
         "//go/tools/scion-pki/internal/v2/keys:go_default_library",
         "//go/tools/scion-pki/internal/v2/trcs:go_default_library",
         "@com_github_spf13_cobra//:go_default_library",
+        "@org_golang_x_xerrors//:go_default_library",
     ],
 )
 

go/tools/scion-pki/internal/v2/certs/loader.go

@@ -19,13 +19,17 @@ import (
 	"regexp"
 	"strconv"
 
+	"golang.org/x/xerrors"
+
 	"github.com/scionproto/scion/go/lib/addr"
 	"github.com/scionproto/scion/go/lib/scrypto"
 	"github.com/scionproto/scion/go/lib/serrors"
 	"github.com/scionproto/scion/go/tools/scion-pki/internal/pkicmn"
 	"github.com/scionproto/scion/go/tools/scion-pki/internal/v2/conf"
 )
 
+var errNoFilesFound = serrors.New("no config files found")
+
 type loader struct {
 	Dirs    pkicmn.Dirs
 	Version scrypto.Version
@@ -41,7 +45,11 @@ func (l loader) LoadIssuerConfigs(asMap pkicmn.ASMap) (map[addr.IA]conf.Issuer,
 	for _, ias := range asMap {
 		for _, ia := range ias {
 			file, err := l.selectConfig(ia, s)
-			if err != nil {
+			switch {
+			case xerrors.Is(err, errNoFilesFound):
+				pkicmn.QuietPrint("Ignoring AS without issuer certificate config: %s\n", ia)
+				continue
+			case err != nil:
 				return nil, serrors.WrapStr("unable to select config", err, "ia", ia)
 			}
 			cfg, err := conf.LoadIssuer(file)
@@ -86,7 +94,7 @@ func (l loader) selectConfig(ia addr.IA, s selector) (string, error) {
 		return "", serrors.WrapStr("unable to search all available versions", err)
 	}
 	if len(files) == 0 {
-		return "", serrors.WrapStr("no config files found", err)
+		return "", errNoFilesFound
 	}
 	max, err := findMaxVersion(files, s.Regex)
 	if err != nil {